Secure distributed execution of jobs

ABSTRACT

A processing unit, where the processing unit is one of a group of processing units of a system, includes a processor; and memory including instructions, which when executed by the processor while avoiding interrupting a controller that does not belong to the group of processing units, cause the processor to: perform at least one iteration of the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit.

PRIORITY

This application claims the benefit of priority to U.S. Provisional Patent Application Ser. No. 63/073,647, filed Sep. 2, 2020, which is incorporated by reference herein in its entirety.

BACKGROUND

Advanced driver assistance systems (ADAS), and autonomous vehicle (AV) systems use cameras and other sensors together with object classifiers, which are designed to detect specific objects in an environment of a vehicle navigating a road. Object classifiers are designed to detect predefined objects and are used within ADAS and AV systems to control the vehicle or alert a driver based on the type of object that is detected, its location, etc.

As ADAS and AV systems progress towards fully autonomous operation, it would be beneficial to protect data generated by these systems.

SUMMARY

The following detailed description refers to the accompanying drawings. Wherever possible, the same reference numbers are used in the drawings and the following description to refer to the same or similar parts. While several illustrative embodiments are described herein, modifications, adaptations and other implementations are possible. For example, substitutions, additions, or modifications may be made to the components illustrated in the drawings, and the illustrative methods described herein may be modified by substituting, reordering, removing, or adding steps to the disclosed methods. Accordingly, the following detailed description is not limited to the disclosed embodiments and examples.

Disclosed embodiments provide systems and methods that can be used as part of or in combination with autonomous navigation/driving and/or driver assist technology features. Driver assist technology refers to any suitable technology to assist drivers in the navigation and/or control of their vehicles, such as forward collision warning (FCW), lane departure warning (LDW) and traffic sign recognition (TSR), as opposed to fully autonomous driving. In various embodiments, the system may include one, two or more cameras mountable in a vehicle and an associated processor that monitor the environment of the vehicle. In further embodiments, additional types of sensors can be mounted in the vehicle and can be used in the autonomous navigation and/or driver assist system. In some examples of the presently disclosed subject matter, the system may provide techniques for processing images of an environment ahead of a vehicle navigating a road for training neural networks or deep learning algorithms to estimate a future path of a vehicle based on images. In yet further examples of the presently disclosed subject matter, the system may provide techniques for processing images of an environment ahead of a vehicle navigating a road using a trained neural network to estimate a future path of the vehicle.

There are provided systems and methods, as illustrated in the claims and the specification.

Any combination of any subject matter of any claim may be provided.

Any combination of any method and/or method step disclosed in any figure and/or in the specification may be provided.

Any combination of any unit, device, and/or component disclosed in any figure and/or in the specification may be provided. Non-limiting examples of such units include a gather unit, an image processor and the like.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features, and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanying drawings in which:

FIG. 1 is a block diagram representation of a system consistent with the disclosed embodiments;

FIG. 2A is a diagrammatic side view representation of an exemplary vehicle including a system consistent with the disclosed embodiments;

FIG. 2B is a diagrammatic top view representation of the vehicle and system shown in FIG. 2A consistent with the disclosed embodiments;

FIG. 2C is a diagrammatic top view representation of another embodiment of a vehicle including a system consistent with the disclosed embodiments;

FIG. 2D is a diagrammatic top view representation of yet another embodiment of a vehicle including a system consistent with the disclosed embodiments;

FIG. 2E is a diagrammatic representation of exemplary vehicle control systems consistent with the disclosed embodiments;

FIG. 3 is a diagrammatic representation of an interior of a vehicle including a rearview mirror and a user interface for a vehicle imaging system consistent with the disclosed embodiments;

FIG. 4 illustrates an example of a system;

FIG. 5 illustrates an example of a system;

FIG. 6 is an example of a control firmware executed by a processing unit;

FIG. 7 is an example of a control firmware executed by a processing unit;

FIG. 8 is an example of a control firmware executed by a processing unit;

FIG. 9 is an example of a control firmware executed by a processing unit;

FIG. 10 is an example of a control firmware executed by a processing unit;

FIG. 11 is an example of a control firmware executed by a processing unit;

FIG. 12 illustrates an example of a method;

FIG. 13 illustrates an example of a method; and

FIG. 14 illustrates an example of a method.

DETAILED DESCRIPTION OF THE DRAWINGS

In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, and components have not been described in detail so as not to obscure the present invention.

It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.

Because the illustrated embodiments of the present invention may, for the most part, be implemented using electronic components and circuits known to those skilled in the art, details will not be explained in any greater extent than that considered necessary as illustrated above, for the understanding and appreciation of the underlying concepts of the present invention and in order not to obfuscate or distract from the teachings of the present invention.

Any reference in the specification to a method should be applied mutatis mutandis to a system capable of executing the method and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that once executed by a computer result in the execution of the method.

Any reference in the specification to a system and any other component should be applied mutatis mutandis to a method that may be executed by the memory device and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that may be executed by the memory device. For example, there may be provided a method and/or method steps executed by the image processor described in any one of claims.

Any reference in the specification to a non-transitory computer readable medium should be applied mutatis mutandis to a system capable of executing the instructions stored in the non-transitory computer readable medium and should be applied mutatis mutandis to a method that may be executed by a computer that reads the instructions stored in the non-transitory computer readable medium.

Any combination of any module or unit listed in any of the figures, any part of the specification and/or any claims may be provided. Especially any combination of any claimed feature may be provided.

A pixel may be a picture element obtained by a camera.

Before discussing in detail examples of features of the processing of images of an environment ahead of a vehicle navigating a road for training neural networks or deep learning algorithms to estimate a future path of a vehicle based on images, or features of the processing of images of an environment ahead of a vehicle navigating a road using a trained neural network to estimate a future path of the vehicle, there is provided a description of various possible implementations and configurations of a vehicle mountable system that can be used for carrying out and implementing the methods according to examples of the presently disclosed subject matter. In some embodiments, various examples of the system can be mounted in a vehicle, and can be operated while the vehicle is in motion. In some embodiments, the system can implement the methods according to examples of the presently disclosed subject matter.

However, it would be appreciated that embodiments of the present disclosure are not limited to scenarios where a suspected upright object indication is caused by a high-grade road. The suspected upright object indication can be associated with various other circumstances, and can result from other types of image data and also from data that is not image based or is not exclusively image based, as well.

FIG. 1, to which reference is now made, is a block diagram representation of a system consistent with the disclosed embodiments. System 100 can include various components depending on the requirements of a particular implementation. In some examples, system 100 can include a processing unit 110, an image acquisition unit 120 and one or more memory units 140, 150. Processing unit 110 can include one or more processing devices. In some embodiments, processing unit 110 can include an application processor 180, an image processor 190, or any other suitable processing device. Similarly, image acquisition unit 120 can include any number of image acquisition units and components depending on the requirements of a particular application. In some embodiments, image acquisition unit 120 can include one or more image capture devices (e.g., cameras), such as image capture device 122, image capture device 124, and image capture device 126. In some embodiments, system 100 can also include a data interface 128 communicatively connecting processing unit 110 to image acquisition unit 120. For example, data interface 128 can include any wired and/or wireless link or links for transmitting image data acquired by image acquisition unit 120 to processing unit 110.

Both application processor 180 and image processor 190 can include various types of processing devices. For example, either or both of application processor 180 and image processor 190 can include one or more microprocessors, preprocessors (such as image preprocessors), graphics processors, central processing units (CPUs), support circuits, digital signal processors, integrated circuits, memory, or any other types of devices suitable for running applications and for image processing and analysis. In some embodiments, application processor 180 and/or image processor 190 can include any type of single or multi-core processor, mobile device microcontroller, central processing unit, etc. Various processing devices can be used, including, for example, processors available from manufacturers such as Intel®, AMD®, etc. and can include various architectures (e.g., x86 processor, ARM®, etc.).

In some embodiments, application processor 180 and/or image processor 190 can include any of the EyeQ series of processor chips available from Mobileye®. These processor designs each include multiple processing units with local memory and instruction sets. Such processors may include video inputs for receiving image data from multiple image sensors and may also include video out capabilities. In one example, the EyeQ2® uses 90 nm-micron technology operating at 332 MHz. The EyeQ2® architecture has two floating point, hyper-thread 32-bit RISC CPUs (MIPS32® 34K® cores), five Vision Computing Engines (VCE), three Vector Microcode Processors (VMP®), Denali 64-bit Mobile DDR Controller, 128-bit internal Sonics Interconnect, dual 16-bit Video input and 18-bit Video output controllers, 16 channels DMA and several peripherals. The MIPS34K CPU manages the five VCEs, three VMP™ and the DMA, the second MIPS34K CPU and the multi-channel DMA as well as the other peripherals. The five VCEs, three VMP® and the MIPS34K CPU can perform intensive vision computations required by multi-function bundle applications. In another example, the EyeQ3®, which is a third-generation processor and is six times more powerful than the EyeQ2®, may be used in the disclosed examples. In yet another example, the EyeQ4®, the fourth-generation processor, may be used in the disclosed examples.

While FIG. 1 depicts two separate processing devices included in processing unit 110, more or fewer processing devices can be used. For example, in some examples, a single processing device may be used to accomplish the tasks of application processor 180 and image processor 190. In other embodiments, these tasks can be performed by more than two processing devices.

Processing unit 110 can include various types of devices. For example, processing unit 110 may include various devices, such as a controller, an image preprocessor, a central processing unit (CPU), support circuits, digital signal processors, integrated circuits, memory, or any other types of devices for image processing and analysis. The image preprocessor can include a video processor for capturing, digitizing, and processing the imagery from the image sensors. The CPU can include any number of microcontrollers or microprocessors. The support circuits can be any number of circuits generally well known in the art, including cache, power supply, clock, and input-output circuits. The memory can store software that, when executed by the processor, controls the operation of the system. The memory can include databases and image processing software, including a trained system, such as a neural network, for example. The memory can include any number of random access memories, read only memories, flash memories, disk drives, optical storage, removable storage, and other types of storage. In one instance, the memory can be separate from the processing unit 110. In another instance, the memory can be integrated into the processing unit 110.

Each memory 140, 150 can include software instructions that when executed by a processor (e.g., application processor 180 and/or image processor 190), can control operation of various aspects of system 100. These memory units can include various databases and image processing software. The memory units can include random access memory, read only memory, flash memory, disk drives, optical storage, tape storage, removable storage, and/or any other types of storage. In some examples, memory units 140, 150 can be separate from the application processor 180 and/or image processor 190. In other embodiments, these memory units can be integrated into application processor 180 and/or image processor 190.

In some embodiments, the system can include a position sensor 130. The position sensor 130 can include any type of device suitable for determining a location associated with at least one component of system 100. In some embodiments, position sensor 130 can include a GPS receiver. Such receivers can determine a user position and velocity by processing signals broadcasted by global positioning system satellites. Position information from position sensor 130 can be made available to application processor 180 and/or image processor 190.

In some embodiments, the system 100 can be operatively connectible to various systems, devices and units onboard a vehicle in which the system 100 can be mounted, and through any suitable interfaces (e.g., a communication bus) the system 100 can communicate with the vehicle's systems. Examples of vehicle systems with which the system 100 can cooperate include: a throttling system, a braking system, and a steering system.

In some embodiments, the system 100 can include a user interface 170. User interface 170 can include any device suitable for providing information to or for receiving inputs from one or more users of system 100, including, for example, a touchscreen, microphone, keyboard, pointer devices, track wheels, cameras, knobs, buttons, etc. Information can be provided by the system 100, through the user interface 170, to the user.

In some embodiments, the system 100 can include a map database 160. The map database 160 can include any type of database for storing digital map data. In some examples, map database 160 can include data relating to a position, in a reference coordinate system, of various items, including roads, water features, geographic features, points of interest, etc. Map database 160 can store not only the locations of such items, but also descriptors relating to those items, including, for example, names associated with any of the stored features and other information about them. For example, locations and types of known obstacles can be included in the database, information about a topography of a road or a grade of certain points along a road, etc. In some embodiments, map database 160 can be physically located with other components of system 100. Alternatively or additionally, map database 160 or a portion thereof can be located remotely with respect to other components of system 100 (e.g., processing unit 110). In such embodiments, information from map database 160 can be downloaded over a wired or wireless data connection to a network (e.g., over a cellular network and/or the Internet, etc.).

Image capture devices 122, 124, and 126 can each include any type of device suitable for capturing at least one image from an environment. Moreover, any number of image capture devices can be used to acquire images for input to the image processor. Some examples of the presently disclosed subject matter can include or can be implemented with only a single-image capture device, while other examples can include or can be implemented with two, three, or even four or more image capture devices. Image capture devices 122, 124, and 126 will be further described with reference to FIGS. 2B-2E, below.

It would be appreciated that the system 100 can include or can be operatively associated with other types of sensors, including for example: an acoustic sensor, a RF sensor (e.g., radar transceiver), a LIDAR sensor. Such sensors can be used independently of or in cooperation with the image acquisition unit 120. For example, the data from the radar system (not shown) can be used for validating the processed information that is received from processing images acquired by the image acquisition unit 120, e.g., to filter certain false positives resulting from processing images acquired by the image acquisition unit 120, or it can be combined with or otherwise complement the image data from the image acquisition unit 120, or some processed variation or derivative of the image data from the image acquisition unit 120.

System 100, or various components thereof, can be incorporated into various different platforms. In some embodiments, system 100 may be included on a vehicle 1200, as shown in FIG. 2A. For example, vehicle 1200 can be equipped with a processing unit 110 and any of the other components of system 100, as described above relative to FIG. 1. While in some embodiments vehicle 1200 can be equipped with only a single-image capture device (e.g., camera), in other embodiments, such as those discussed in connection with FIGS. 2B-2E, multiple image capture devices can be used. For example, either of image capture devices 122 and 124 of vehicle 1200, as shown in FIG. 2A, can be part of an ADAS (Advanced Driver Assistance Systems) imaging set.

The image capture devices included on vehicle 1200 as part of the image acquisition unit 120 can be positioned at any suitable location. In some embodiments, as shown in FIGS. 2A-2E and 3, image capture device 122 can be located in the vicinity of the rearview mirror. This position may provide a line of sight similar to that of the driver of vehicle 1200, which can aid in determining what is and is not visible to the driver.

Other locations for the image capture devices of image acquisition unit 120 can also be used. For example, image capture device 124 can be located on or in a bumper of vehicle 1200. Such a location can be especially suitable for image capture devices having a wide field of view. The line of sight of bumper-located image capture devices can be different from that of the driver. The image capture devices (e.g., image capture devices 122, 124, and 126) can also be located in other locations. For example, the image capture devices may be located on or in one or both of the side mirrors of vehicle 1200, on the roof of vehicle 1200, on the hood of vehicle 1200, on the trunk of vehicle 1200, on the sides of vehicle 1200, mounted on, positioned behind, or positioned in front of any of the windows of vehicle 1200, and mounted in or near light figures on the front and/or back of vehicle 1200, etc. The image capture unit 120, or an image capture device that is one of a plurality of image capture devices that are used in an image capture unit 120, can have a field-of-view (FOV) that is different than the FOV of a driver of a vehicle, and not always see the same objects. In one example, the FOV of the image acquisition unit 120 can extend beyond the FOV of a typical driver and can thus image objects which are outside the FOV of the driver. In yet another example, the FOV of the image acquisition unit 120 is some portion of the FOV of the driver. In some embodiments, the FOV of the image acquisition unit 120 corresponds to a sector which covers an area of a road ahead of a vehicle and possibly also surroundings of the road.

In addition to image capture devices, vehicle 1200 can include various other components of system 100. For example, processing unit 110 may be included on vehicle 1200 either integrated with or separate from an engine control unit (ECU) of the vehicle. Vehicle 1200 may also be equipped with a position sensor 130, such as a GPS receiver and may also include a map database 160 and memory units 140 and 150.

FIG. 2A is a diagrammatic side view representation of a vehicle imaging system according to examples of the presently disclosed subject matter. FIG. 2B is a diagrammatic top view illustration of the example shown in FIG. 2A. As illustrated in FIG. 2B, the disclosed examples can include a vehicle 1200 including in its body a system 100 with a first image capture device 122 positioned in the vicinity of the rearview mirror and/or near the driver of vehicle 1200, a second image capture device 124 positioned on or in a bumper region (e.g., one of bumper regions 1210) of vehicle 1200, and a processing unit 110.

As illustrated in FIG. 2C, image capture devices 122 and 124 may both be positioned in the vicinity of the rearview mirror and/or near the driver of vehicle 1200. Additionally, while two image capture devices 122 and 124 are shown in FIGS. 2B and 2C, it should be understood that other embodiments may include more than two image capture devices. For example, in the embodiment shown in FIG. 2D, first, second, and third image capture devices 122, 124, and 126, are included in the system 100 of vehicle 200.

As shown in FIG. 2D, image capture devices 122, 124, and 126 may be positioned in the vicinity of the rearview mirror and/or near the driver seat of vehicle 1200. The disclosed examples are not limited to any particular number and configuration of the image capture devices, and the image capture devices may be positioned in any appropriate location within and/or on vehicle 1200.

It is also to be understood that disclosed embodiments are not limited to a particular type of vehicle 1200 and may be applicable to all types of vehicles including automobiles, trucks, trailers, motorcycles, bicycles, self-balancing transport devices and other types of vehicles.

The first image capture device 122 can include any suitable type of image capture device. Image capture device 122 can include an optical axis. In one instance, the image capture device 122 can include an Aptina M9V024 WVGA sensor with a global shutter. In another example, a rolling shutter sensor can be used. Image acquisition unit 120, and any image capture device which is implemented as part of the image acquisition unit 120, can have any desired image resolution. For example, image capture device 122 can provide a resolution of 1280×960 pixels and can include a rolling shutter.

Image acquisition unit 120, and any image capture device which is implemented as part of the image acquisition unit 120, can include various optical elements. In some embodiments one or more lenses can be included, for example, to provide a desired focal length and field of view for the image acquisition unit 120, and for any image capture device which is implemented as part of the image acquisition unit 120. In some examples, an image capture device which is implemented as part of the image acquisition unit 120 can include or be associated with any optical elements, such as a 6 mm lens or a 12 mm lens, for example. In some examples, image capture device 122 can be configured to capture images having a desired (and known) field-of-view (FOV).

The first image capture device 122 may have a scan rate associated with acquisition of each of the first series of image scan lines. The scan rate may refer to a rate at which an image sensor can acquire image data associated with each pixel included in a particular scan line.

FIG. 2E is a diagrammatic representation of vehicle control systems, according to examples of the presently disclosed subject matter. As indicated in FIG. 2E, vehicle 1200 can include throttling system 1220, braking system 1230, and steering system 1240. System 100 can provide inputs (e.g., control signals) to one or more of throttling system 1220, braking system 1230, and steering system 1240 over one or more data links (e.g., any wired and/or wireless link or links for transmitting data). For example, based on analysis of images acquired by image capture devices 122, 124, and/or 126, system 100 can provide control signals to one or more of throttling system 1220, braking system 1230, and steering system 1240 to navigate vehicle 1200 (e.g., by causing an acceleration, a turn, a lane shift, etc.). Further, system 100 can receive inputs from one or more of throttling system 1220, braking system 1230, and steering system 1240 indicating operating conditions of vehicle 1200 (e.g., speed, whether vehicle 1200 is braking and/or turning, etc.).

As shown in FIG. 3, vehicle 1200 may also include a user interface 170 for interacting with a driver or a passenger of vehicle 1200. For example, user interface 170 in a vehicle application may include a touch screen 1320, knobs 1330, buttons 1340, and a microphone 1350. A driver or passenger of vehicle 1200 may also use handles (e.g., located on or near the steering column of vehicle 1200 including, for example, turn signal handles), buttons (e.g., located on the steering wheel of vehicle 1200), and the like, to interact with system 100. In some embodiments, microphone 1350 may be positioned adjacent to a rearview mirror 1310. Similarly, in some embodiments, image capture device 122 may be located near rearview mirror 1310. In some embodiments, user interface 170 may also include one or more speakers 1360 (e.g., speakers of a vehicle audio system). For example, system 100 may provide various notifications (e.g., alerts) via speakers 1360.

As will be appreciated by a person skilled in the art having the benefit of this disclosure, numerous variations and/or modifications may be made to the foregoing disclosed embodiments. For example, not all components are essential for the operation of system 100. Further, any component may be located in any appropriate part of system 100 and the components may be rearranged into a variety of configurations while providing the functionality of the disclosed embodiments. Therefore, the foregoing configurations are examples and, regardless of the configurations discussed above, system 100 can provide a wide range of functionality to analyze the surroundings of vehicle 1200 and, in response to this analysis, navigate and/or otherwise control and/or operate vehicle 1200. Navigation, control, and/or operation of vehicle 1200 may include enabling and/or disabling (directly or via intermediary controllers, such as the controllers mentioned above) various features, components, devices, modes, systems, and/or subsystems associated with vehicle 1200. Navigation, control, and/or operation may alternately or additionally include interaction with a user, driver, passenger, passerby, and/or other vehicle or user, which may be located inside or outside vehicle 1200, for example by providing visual, audio, haptic, and/or other sensory alerts and/or indications.

As discussed below in further detail and consistent with various disclosed embodiments, system 100 may provide a variety of features related to autonomous driving, semi-autonomous driving and/or driver assist technology. For example, system 100 may analyze image data, position data (e.g., GPS location information), map data, speed data, and/or data from sensors included in vehicle 1200. System 100 may collect the data for analysis from, for example, image acquisition unit 120, position sensor 130, and other sensors. Further, system 100 may analyze the collected data to determine whether or not vehicle 1200 should take a certain action, and then automatically take the determined action without human intervention. It would be appreciated that in some cases, the actions taken automatically by the vehicle are under human supervision, and the ability of the human to intervene, adjust, abort, or override the machine action is enabled under certain circumstances or at all times. For example, when vehicle 1200 navigates without human intervention, system 100 may automatically control the braking, acceleration, and/or steering of vehicle 1200 (e.g., by sending control signals to one or more of throttling system 1220, braking system 1230, and steering system 1240). Further, system 100 may analyze the collected data and issue warnings, indications, recommendations, alerts, or instructions to a driver, passenger, user, or other person inside or outside of the vehicle (or to other vehicles) based on the analysis of the collected data. Additional details regarding the various embodiments that are provided by system 100 are provided below.

Any value illustrated in the specification is a non-limiting example of a number of values. Other values may be provided—values that may be lower than the value mentioned in the application and/or values that exceed the value mentioned in the application.

Systems that include multiple processing units usually execute multiple processes, where each process may include a plurality of jobs. The efficient execution of the multiple processes requires a dynamic allocation of the jobs between the multiple processing units.

A processing unit may be a hardware accelerator, a general purpose unit, a central processing unit (CPU), a system on chip (SOC), an image processor, a graphic processing unit (GPU), a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a neural network processor, and the like.

The processing units may share memory resources, but a processing unit that executes a job of a certain process may corrupt data related to another process by writing to memory resources allocated to that other process.

In order to prevent the data corruption, access control metadata that is associated with each process has to be uploaded to each processing unit before an execution of a job related to the process.

The management of the multiple processing units, and especially the loading of the access control metadata, is a burdensome task, may also be highly complex, and may require a dedicated controller for scheduling the execution of different jobs by the processing units.

The dedicated controller is usually interrupted when a processing unit completes a job, and once interrupted, the dedicated controller has to determine the next job to be executed by the processing unit. Once determined, the dedicated controller has to set the access control metadata that is associated with the job.

The dedicated controller may become a bottleneck that may reduce the throughput of the system, especially when at least some of the processing units are relatively spaced apart from the dedicated controller.

There may be provided a distributed job allocation and execution scheme in which the processing units may execute jobs, and upload the process specific access control metadata, in an autonomous manner or substantially autonomous manner, in the sense that the dedicated controller does not intervene or does not substantially intervene. The dedicated controller can be regarded as not intervening or not substantially intervening when it is not interrupted during at least a majority of the times that jobs are executed by the processing units.

The processing units may access job queues and select which job to execute. The processing units may upload (automatically or only when required) the process specific access control metadata without intervention of a dedicated controller.

The selection of a job may involve updating job metadata (for example, which job is selected by a processing unit, or whether a job was completed) without intervention of a dedicated controller.

A processing unit may allocate a job to another processing unit by updating job metadata.

The update of job metadata and/or the update of the access control unit should be executed in a secure manner that prevents corruption of the job metadata. Furthermore, the update of the job metadata should be done in a secure manner to prevent hacking.

There is provided a system, a method and a computer readable medium that enable a processing unit to perform sensitive operations. Sensitive operations include those that affect a job's execution or state. Examples of sensitive operations include those that create or modify job data or metadata, create or change job access control, or control job execution.

A sensitive operation may include selecting a job.

A sensitive operation may include updating job metadata.

A sensitive operation may include updating the access control metadata of the processing unit (prior to execution of a job).

A sensitive operation may include an allocation of a job to another processing unit.

A processing unit may be configured to perform one or more sensitive operations when the processing unit operates in a trusted mode. A sensitive operation may not be executed when the processing unit is in an untrusted mode.

A trusted mode is a mode in which a processing unit may execute sensitive operations. When in an untrusted mode the processing unit is not allowed to execute sensitive operations.

A processing unit may be configured to enter the trusted mode following a reset and during a boot process.

The processing unit may be configured to exit the trusted mode after completing the execution of one or more sensitive operations.

The processing unit may execute a job in an untrusted mode and then reset itself and return to the trusted mode.

Updating some job metadata such as counters and/or pointers can be done by using an atomic command execution unit.

The atomic command execution unit may implement locks, counters, barriers and interrupt aggregation that enable synchronization of multiple processing units. The atomic command execution unit may support other functions.

An atomic command executed by a certain thread is seen by other threads as happening instantaneously. An atomic command may include several commands that are linked to each other. For example, a read-modify-write atomic command may include a read command and a modify/write command.

The atomic command execution unit may be memory mapped in the sense that it can be accessed using addresses of one or more dedicated address ranges within an address space. The one or more dedicated address ranges are accessible to the processing units.

The atomic command execution unit may include (i) an interface that is configured to receive, from multiple processing units, multiple memory mapped atomic commands; and (ii) at least one circuit that is configured to successfully execute the atomic commands and generate output values without intervention from the multiple processing units even when a successful execution of an atomic command is preceded by a failure to execute the atomic command. The interface may be further configured to output, to the multiple processing units, return values and/or completion indications regarding a completion of the atomic commands.

Additionally or alternatively, the at least one circuit of the atomic command execution unit may be configured to successfully execute the atomic commands and generate output values without intervention from multiple processing units, wherein successfully executing the atomic commands may include repeating an execution of at least one atomic command until the at least one atomic command is successfully executed.
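The following C sketch is an added illustration, not code from the patent. It models a read-modify-write on a queue read pointer, showing a plain read-then-write handing the same job to two units while an atomic command that retries internally does not. All names (`queue_ptrs`, `acu_claim_job`, the `rival_*` hooks that stand in for a second processing unit) are hypothetical, and the model tracks pointers only, not job descriptor storage.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of one pointer DS entry; names are not from the patent. */
struct queue_ptrs {
    _Atomic uint32_t write_ptr;   /* advanced when a job descriptor is published */
    _Atomic uint32_t read_ptr;    /* advanced when a processing unit claims a job */
};

struct claim { bool ok; uint32_t index; unsigned attempts; };

/* Stand-in for a second unit whose command lands between our read and our write. */
typedef void (*interfere_fn)(struct queue_ptrs *q);

static uint32_t rival_index;      /* job index taken by the simulated rival unit */

static void rival_atomic(struct queue_ptrs *q) {
    rival_index = atomic_fetch_add(&q->read_ptr, 1);
}

static void rival_plain(uint32_t *read_ptr) {
    rival_index = (*read_ptr)++;
}

/* Atomic read-modify-write on the read pointer. The retry loop lives inside the
 * unit, so the caller only sees the final outcome, never the failed attempt. */
static struct claim acu_claim_job(struct queue_ptrs *q, interfere_fn other) {
    struct claim c = { false, 0, 0 };
    uint32_t r = atomic_load(&q->read_ptr);
    for (;;) {
        c.attempts++;
        if (r == atomic_load(&q->write_ptr))
            return c;                                  /* nothing left to claim */
        if (other) { other(q); other = NULL; }         /* simulated race, once */
        if (atomic_compare_exchange_strong(&q->read_ptr, &r, r + 1)) {
            c.ok = true;
            c.index = r;
            return c;
        }
        /* Exchange failed: r now holds the pointer the rival published. Retry. */
    }
}

/* Weak variant: separate read and write with no atomicity. */
static uint32_t racy_claim_job(uint32_t *read_ptr, void (*other)(uint32_t *)) {
    uint32_t r = *read_ptr;        /* read */
    if (other) other(read_ptr);    /* rival claims the same slot here */
    *read_ptr = r + 1;             /* write overwrites the rival's update */
    return r;
}

/* True when both units walked away with the same job index. */
static bool racy_duplicates(void) {
    uint32_t read_ptr = 0;
    uint32_t mine = racy_claim_job(&read_ptr, rival_plain);
    return mine == rival_index;
}

/* Claims one job from a queue holding jobs_available entries while a rival races. */
static struct claim atomic_under_race(uint32_t jobs_available) {
    struct queue_ptrs q;
    atomic_init(&q.write_ptr, jobs_available);
    atomic_init(&q.read_ptr, 0);
    return acu_claim_job(&q, rival_atomic);
}

int main(void) {
    return (racy_duplicates() && atomic_under_race(3).index == 1) ? 0 : 1;
}
```

When the rival takes the last queued job, the atomic claim reports failure after its second attempt instead of returning an index past the write pointer.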

The terms “unit”, “component”, and “module” are used in an interchangeable manner.

FIG. 4 illustrates an example of a system 200.

System 200 may be an integrated circuit, may include more than a single integrated circuit (e.g., two, three, . . . , n), may include components other than one or more integrated circuits, and the like.

In the example shown in FIG. 4, system 200 includes eight clusters 201-208 of processing units of four different types, where processing units of the same cluster share a shared cache.

The number of clusters may differ from eight. There may be fewer than four types of processing units or more than four types of processing units in each cluster. Additionally or alternatively, the processing units of a cluster may each have their own cache device. In another embodiment, a shared cache may be used among fewer than all of the processing units in a cluster. For instance, there may be eight processing units in a cluster with each pair sharing a cache, resulting in four caches in the cluster. The caches may be stored on the same memory device or on separate memory devices. It should be noted that a processing unit may or may not include a cache.

In the example shown in FIG. 4, each one of clusters 201-208 includes eight processing units: three of the first type (PU_T1 211), two of the second type (PU_T2 212), two of a third type (PU_T3 213) and one of a fourth type (PU_T4 214).

It should be noted that there may be any number of processing units per cluster, that there may be any type of processing units in a cluster, and that there may be any number of any type of processing unit in a cluster.

In FIG. 4 the clusters are illustrated as including the same number and types of processing units per cluster.

It should be noted that the clusters may differ from one another by the number of processing units, by the type of processing units and/or by the number of processing units per type.

The eight clusters are coupled to an interconnect 230. The interconnect 230 may be coupled to a controller 232, volatile memory 234, and atomic command execution unit 236. Any other combination of clusters and memory units of different types may be provided. There may be any number of memory units of any kind.

FIG. 4 also illustrates various data structures stored in the system. Parts of the data structures may be stored in any manner in any of the memory units illustrated in FIG. 4, or in any other manner.

The data structures may include a queue data structure (“queue DS”) 250, access control data structure (“access control DS”) 244, and pointer data structure (“pointer DS”) 240.

Queue DS 250 may include any type of queues including, for example:

1) Queues allocated per processing unit (such as sixty-four processing unit queues PU1Q-PU64Q 268(1)-268(64), one per processing unit).
2) Queues allocated per type from the different types of the processing units (such as four type queues T1Q-T4Q 261-264).
3) Queues allocated per cluster (such as eight cluster queues C1Q-C8Q 251-258).

It should be noted that any other arrangement of queues may be provided, that the number of processing unit queues may differ from 64 (it may be more or less), that the number of type queues may differ from four, and that the number of cluster queues may differ from eight.

The access control DS 244 may store access control metadata for different processes. The access control metadata may define, for example, which queue may be accessed by a processing unit when executing a job of a process, and which other memory entries are available when executing a job related to a certain process.

The pointer DS 240 may store pointers to different queues. For example, the pointer DS 240 may maintain, per queue, a write pointer for writing the next job descriptor, and a read pointer for reading a next job descriptor from a queue. The pointer DS 240 may be managed by the atomic command execution unit 236, but may be managed in any other manner.

A processing unit of the system may be configured to perform at least one iteration (without interrupting a controller that does not belong to the group), an iteration including the following operations: (a) enter a trusted mode, (b) select (from queue DS 250) a selected job, (c) retrieve (automatically or only when it is determined that the retrieval is required), from access control DS 244, access control metadata related to the selected job, (d) enter an untrusted mode, (e) execute the selected job while adhering to the access control metadata related to the job, and (f) reset.

Regarding step (c), a processing unit may automatically retrieve the access control metadata related to the job during each boot sequence.

Alternatively, the processing unit may check whether the retrieval is required. This may include checking if previously stored access control metadata (from a previous job) is relevant to the current job; if so, retrieval of the access control metadata can be skipped.

For example, the access control metadata may be process specific, and when the processing unit executes a sequence of jobs that belong to the same process, the processing unit may not need to retrieve the access control metadata more than once during the sequence and may thus skip the retrieval operation for any one or more jobs that are included in the same process.

The iterations are executed in an autonomous manner or a substantially autonomous manner, so that at least a majority of the iterations may be executed without interrupting controller 232.

The initiation of the trusted mode may be activated during a boot process following a reset of the processing unit.

The multiple iterations may be executed by the processing unit autonomously, thus without intervention of the controller. The controller may allocate its resources to tasks other than intervening in the multiple iterations.
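As an added illustration (not code from the patent), the C model below runs iterations (a)-(f) for one processing unit with the "is retrieval required?" check. Sensitive operations are refused in untrusted mode, and a job's write outside its own process's window is dropped. The structures, function names, memory layout and sample jobs are all constructed for this sketch, and it assumes the loaded metadata survives reset as state metadata.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of steps (a)-(f); none of these names come from the patent. */
enum pu_mode { MODE_TRUSTED, MODE_UNTRUSTED };
struct acl { int process_id; size_t base, len; };   /* writable window of one process */
struct job { int process_id; size_t addr; uint8_t value; };

#define MEM_SIZE  64
#define QUEUE_LEN 8

static uint8_t shared_mem[MEM_SIZE];                /* memory shared by all processes */
static const struct acl access_control_ds[] = {     /* constructed sample metadata */
    { 1, 0, 16 },
    { 2, 16, 16 },
};
static struct job queue_ds[QUEUE_LEN];
static size_t q_read, q_write;

struct pu {
    enum pu_mode mode;
    struct acl active;   /* access control metadata currently loaded */
    bool acl_valid;
    int acl_loads;       /* times step (c) really ran */
    int denied;          /* writes blocked during step (e) */
};

/* Driver-side submission of a job descriptor. */
static bool enqueue(struct job j) {
    if (q_write - q_read == QUEUE_LEN) return false;
    queue_ds[q_write++ % QUEUE_LEN] = j;
    return true;
}

/* Sensitive operation: job selection is refused outside trusted mode. */
static bool select_job(struct pu *pu, struct job *out) {
    if (pu->mode != MODE_TRUSTED || q_read == q_write) return false;
    *out = queue_ds[q_read++ % QUEUE_LEN];
    return true;
}

/* Sensitive operation: loading access control metadata, trusted mode only. */
static bool load_acl(struct pu *pu, int process_id) {
    size_t n = sizeof access_control_ds / sizeof access_control_ds[0];
    if (pu->mode != MODE_TRUSTED) return false;
    pu->acl_valid = false;               /* fail closed if the process is unknown */
    for (size_t i = 0; i < n; i++) {
        if (access_control_ds[i].process_id == process_id) {
            pu->active = access_control_ds[i];
            pu->acl_valid = true;
            pu->acl_loads++;
            return true;
        }
    }
    return false;
}

/* Step (e): a write lands only inside the window loaded in trusted mode. */
static bool guarded_write(struct pu *pu, size_t addr, uint8_t value) {
    if (!pu->acl_valid || addr >= MEM_SIZE || addr < pu->active.base ||
        addr - pu->active.base >= pu->active.len) {
        pu->denied++;
        return false;
    }
    shared_mem[addr] = value;
    return true;
}

/* Steps (f) then (a): reset reboots the unit into trusted mode. */
static void pu_reset(struct pu *pu) { pu->mode = MODE_TRUSTED; }

/* One iteration, entered in trusted mode; false when the queue is empty. */
static bool pu_iterate(struct pu *pu) {
    struct job j;
    if (!select_job(pu, &j)) return false;                        /* (b) */
    if (!pu->acl_valid || pu->active.process_id != j.process_id)  /* retrieval required? */
        load_acl(pu, j.process_id);                               /* (c) */
    pu->mode = MODE_UNTRUSTED;                                    /* (d) */
    guarded_write(pu, j.addr, j.value);                           /* (e) */
    pu_reset(pu);                                                 /* (f) */
    return true;
}

/* Runs three constructed jobs; returns the number of iterations executed. */
static int run_demo(struct pu *pu) {
    int iterations = 0;
    memset(pu, 0, sizeof *pu);
    memset(shared_mem, 0, sizeof shared_mem);
    q_read = q_write = 0;
    enqueue((struct job){ 1, 3, 0xA1 });    /* process 1, inside its own window */
    enqueue((struct job){ 1, 20, 0xB2 });   /* process 1 aiming at process 2's window */
    enqueue((struct job){ 2, 20, 0xC3 });   /* process 2, inside its own window */
    while (pu_iterate(pu)) iterations++;
    return iterations;
}

int main(void) {
    struct pu pu;
    return run_demo(&pu) == 3 ? 0 : 1;
}
```

The second job reuses the metadata loaded for the first (same process), so only two retrievals happen across three jobs, and its out-of-window write never reaches shared memory.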

The execution of the selected job may be followed by reporting a completion of the selected job. This may be executed in various manners, for example by writing a completion identifier to completion queue (“complete Q”) 272.

A processing unit may be configured to allocate an allocated job to another processing unit. The allocating may include updating, by the processing unit and while in the trusted mode, metadata related to an execution of the allocated job, for example by writing a job descriptor into a queue accessible by the other processing units. The selection of the other processing unit may be executed in any manner.

The updating of the metadata (related to the job allocation) may include updating a queue pointer, using an atomic command execution unit. This may involve executing an atomic read-modify-write command.

The updating of the metadata (related to the job allocation) may be executed during the execution of the selected job or following the execution of the selected job, but before the resetting of the first processing unit.

The updating of the metadata (related to the job allocation) may be executed during the execution of the selected job or following the execution of the selected job, but after the next resetting of the first processing unit.

The controller 232 may control the processing unit by sending control messages that control a mode of operation of the processing units, for example, allocating one or more processing units for executing rare but urgent jobs that are flagged in a manner that is identified by the processing unit, and the like. The controller 232 may be informed about a job that should be deemed rare and urgent. Alternatively, the controller may receive urgency information regarding the urgency of the job and may then determine the rarity of the job. A rare task may be, for example, a task that is executed less frequently (for example, by a factor of a few tens to a few hundreds, and even more) than a most frequently executed task. The control firmware executed by the processing unit may include searching for a command and, if such a command exists, the command is executed even when the execution involves entering an idle mode or otherwise delaying or preventing execution of further iterations of one or more steps (a)-(e).

A processing unit may be configured to retrieve, while in the trusted mode, one or more commands originated from the controller (for example, retrieving from command queue (“COMMAND Q”) 270). The retrieval is followed by execution of the commands.

FIG. 5 illustrates an example of a system 200′.

System 200′ differs from system 200 by including an additional set of queues in queue DS 250′ that store priority levels (cluster priority queues 271-278, type priority queues 281-284, processing unit priority queues 288(1)-288(64) and command priority queue 290), where the priority levels may differ from each other.

There may be more than one set of priority queues for supporting more than one priority level.

Priority levels may be supported in other manners, for example by using a single queue for storing jobs of different levels and associating priority metadata with the job descriptors. This may reduce the number of queues but may complicate the selection of a job.

Any of the above-mentioned systems may support or host user applications, runtime code, drivers and the like.

For example, user applications may interact with the Runtime via the Runtime API to submit programs for execution on the processing units. The Runtime may interact with the user mode driver to submit a graph of jobs for processing. The Runtime may get notifications on job completions from the user mode driver.

A user mode driver may interact with the processing unit kernel mode driver to submit jobs for execution on the processing units.

The processing unit kernel mode driver may interact with a job queue, to enqueue jobs for execution by the control firmware.

A job may be associated with one or more attributes out of priority, cluster, processing unit and type. A job associated with one attribute only may be stored in a single queue associated with that attribute. A job associated with multiple attributes may be duplicated and stored in queues related to each one of the attributes. Alternatively, the job may be stored in a certain queue associated with one of the attributes and the system may maintain linking metadata that may link other queues associated with other attributes to that certain queue. The queues may be managed in any manner. As yet another example, there may be provided a queue per combination of attributes.

FIGS. 6-11 illustrate examples of control firmware (CF) executed by a processing unit.

FIG. 6 illustrates an example of a CF 300(1) that begins with a boot code 3001, followed by job execution code 320, and ends with a termination code 330.

The boot code 3001 may include code 302 for entering a secure mode, code 304 for selecting a job, code 306 for retrieving access control metadata related to the selected job, and code 308 for exiting the secure mode.

The job execution code 320 includes code for executing the selected job while in an untrusted mode and while adhering to the access control metadata.

The termination code 330 may include a reset code 332 for resetting the processing unit. This will result in rebooting the processing unit.

FIG. 7 illustrates an example of a CF 300(2) that begins with a boot code 3002, followed by job execution code 320, and ends with a termination code 330.

The boot code 3002 of CF 300(2) differs from the boot code 3001 of CF 300(1). The boot code of CF 300(2) includes code 305 for checking whether to retrieve the access control metadata related to the selected job.

Code 304 for selecting the job is followed by code 305 for checking whether there is a need to retrieve access control metadata related to the selected job. If yes, then code 305 is followed by code 306 for retrieving access control metadata related to the selected job. If no, then code 305 is followed by code 308 for exiting the secure mode.

FIG. 8 illustrates an example of a CF 300(3) that starts with a boot code 3003, followed by job execution code 320, and ends with a termination code 330.

The boot code 3003 of CF 300(3) differs from the boot code 3001 of CF 300(1) by including code 305′ for checking whether the selected job is the last process (last process is the process related to the last executed job).

If yes, then code 305′ is followed by code 306 for retrieving access control metadata related to the selected job.

If no, then code 305′ is followed by code 308 for exiting the secure mode.

FIGS. 9-11 illustrate examples of CF 300(4)-300(6) that involve code for allocating a job to another processing unit. They include boot codes 3004-3006.

FIG. 9 illustrates a CF 300(4) and an example of a process that includes jobs, where some of the jobs (for example job_D 404) may be executed after a completion of other jobs (for example jobs A-C 401-403). Assuming that job_D 404 requires a different processing unit than the processing unit executing jobs B and C, the processing unit that executed jobs B and C may allocate the execution of job D to the different processing unit following a completion of jobs B and C.

CF 300(4) may start with a boot code 3004, followed by job execution code 320, and end with a termination code 330.

The boot code 3004 may include code 302 for entering a secure mode, code 311 for retrieving state metadata, and code 315 for checking if the state metadata is indicative that job allocation to another processing unit should be complete.

If so, then code 315 is followed by code 316 for completing job allocation to another processing unit (for example, writing a job descriptor to a queue associated with the other processing unit, which may be a processing unit queue, a cluster queue, a type queue, and the like).

Else, code 315 is followed by code 304 for selecting a job, reaching code 305 for checking whether there is a need to retrieve access control metadata related to the selected job.

If yes, code 305 may be followed by code 306 for retrieving access control metadata related to the selected job.

If no, code 305 may be followed by jumping to code 308 for exiting the secure mode.

FIG. 10 illustrates an example of a CF 300(5) that begins with a boot code 3005, followed by job execution code 320, and ends with a termination code 330.

The boot code 3005 may include code 302 for entering a secure mode, code 311 for retrieving state metadata, and code 315 for checking if the state metadata is indicative that job allocation to another processing unit should be complete.

If so, then code 315 is followed by code 316 for completing job allocation to another processing unit (for example, writing a job descriptor to a queue associated with the other processing unit, which may be a processing unit queue, a cluster queue, a type queue, and the like).

Else, code 315 is followed by code 304 for selecting a job, code 306 for retrieving access control metadata related to the selected job, and code 308 for exiting the secure mode.

In FIG. 11 the job reallocation to another processing unit is executed by entering a secured mode following the job execution code 302 and before resetting the processing unit.

FIG. 11 illustrates an example of a CF 300(6) that begins with a boot code 3006, followed by job execution code 320, and ends with a termination code 330.

The termination code 330 includes code 331 for reentering the secure mode, and code 333 for performing job allocation to another processing unit.

Termination code 330 also includes reset code 332.

Any combination of codes may be provided.

The reset may immediately follow the termination code or may be delayed by a certain predefined delay or adjustable delay, depending upon a definition of the reset process. The predefined delay and/or the adjustable delay may be determined in any manner.

Note that codes using the same number illustrated in FIGS. 6-11 may be the same code from figure to figure or may differ slightly but have the same or substantially similar functional ability. For example, exit secure mode code 308 may have the same code in FIGS. 6 and 7, or may be slightly different in its contents but have the same functional effect.

FIG. 12 is an example of a method 500 for job execution.

Method 500 may start by step 510 of repeating, by each processing unit of a group of processing units of a system, multiple iterations that include the following steps: (a) entering a trusted mode (520), (b) selecting (530) a selected job to be executed by the processing unit, (c) retrieving (540) access control metadata related to the selected job, (d) entering (550), by the processing unit, an untrusted mode, (e) executing (560) the selected job by the processing unit while adhering to the access control metadata related to the job, (f) resetting (570) the processing unit; and (g) jumping to step 520.

The group of processing units may be all the processing units of a system (for example all 64 processing units of system 200), or may include only some of the processing units of the system.

Step 510 may be executed without intervention of the controller.

At least a majority of the iterations of step 510 may be executed without interrupting a controller of the system, where the controller does not belong to the group of processing units.

The step 520 may be executed during a boot process following the resetting of the processing unit.

Step 540 may include selecting the selected job out of multiple job queues. The processing units of the group may be of different types and may be arranged in clusters. The selecting of the job may include selecting a job having a job descriptor included in any one of queues allocated per processing unit, queues allocated per type of the different types of the processing units, and queues that are allocated per cluster of the clusters.

Step 560 may include reporting a completion of the selected job.

It should be noted that step 510 may include determining by each processing unit whether there are controller defined commands to be executed and, if so, executing the controller defined commands.

FIG. 13 is an example of a method 501 for job execution.

Method 501 differs from method 500 by including step 535 of checking if step 540 is required and, if not, jumping to step 550 without executing step 540. Else, step 540 is executed and then step 550.

Step 560 may include storing state metadata indicative of a process that included a last job previously executed by the processing unit.

Step 535 may include determining whether the selected job belongs to the process (access control metadata of which is accessible to the processing unit). When the selected job belongs to the process, the controller may be configured to skip the retrieval of the access control metadata related to the selected job and jump to step 550.

FIG. 14 is an example of a method 502 for job execution.

Method 502 differs from method 500 by including step 580 of reallocating, by the processing unit, an allocated job to another processing unit of the group.

The reallocation may be executed between steps 520 and 550, may be executed between steps 550 and 570, or may be partially executed between steps 520 and 550 and partially executed between steps 550 and 570.

Step 580 may include executing a control firmware, for example executing any one of control firmware units 300(4)-300(6).

Step 580 may include generating or using metadata related to reallocation of the job.

The updating of the metadata may include updating a queue pointer, using an atomic command execution unit.

Step 580 may include storing state metadata indicative of a process that included a last job previously executed by the processing unit. The selection of the selected job may be followed by determining whether the selected job belongs to the process, wherein when the selected job belongs to the process, the retrieval of the access control metadata related to the selected job is avoided.

In another embodiment, a method includes performing, by a processing unit of a group of processing units of a system, one or more iterations that comprise the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit; and transmitting an interrupt to a controller after the one or more iterations, the controller being separate from the processing unit.

Any of the mentioned above memory or storage units may be implementedusing any known technologies such as a volatile or nonvolatile memoryincluding semiconductor-based memory units such as flash memory, EEPROM,EPROM, ROM; ferromagnetic digital memories; MRAM; volatile storage mediaincluding registers, buffers or caches, main memory, RAM, DRAM, SRAM,etc.

Any reference to any of the terms “comprise”, “comprises”, “comprising”“including”, “may include” and “includes” may be applied to any of theterms “consists”, “consisting”, “and consisting essentially of”. Forexample—any of method describing steps may include more steps than thoseillustrated in the figure, only the steps illustrated in the figure orsubstantially only the steps illustrate in the figure. The same appliesto components of a device, processor or system and to instructionsstored in any non-transitory computer readable storage medium.

The invention may also be implemented in a computer program for runningon a computer system, at least including code portions for performingsteps of a method according to the invention when run on a programmableapparatus, such as a computer system or enabling a programmableapparatus to perform functions of a device or system according to theinvention. The computer program may cause the storage system to allocatedisk drives to disk drive groups.

A computer program is a list of instructions such as a particularapplication program and/or an operating system. The computer program mayfor instance include one or more of: a subroutine, a function, aprocedure, an object method, an object implementation, an executableapplication, an applet, a servlet, a source code, an object code, ashared library/dynamic load library and/or other sequence ofinstructions designed for execution on a computer system.

The computer program may be stored internally on a non-transitorycomputer readable medium. All or some of the computer program may beprovided on computer readable media permanently, removably or remotelycoupled to an information processing system. The computer readable mediamay include, for example and without limitation, any number of thefollowing: magnetic storage media including disk and tape storage media;optical storage media such as compact disk media (e.g., CD-ROM, CD-R,etc.) and digital video disk storage media; nonvolatile memory storagemedia including semiconductor-based memory units such as flash memory,EEPROM, EPROM, ROM; ferromagnetic digital memories; MRAM; volatilestorage media including registers, buffers or caches, main memory, RAM,etc.

A computer process typically includes an executing (running) program orportion of a program, current program values and state information, andthe resources used by the operating system to manage the execution ofthe process. An operating system (OS) is the software that manages thesharing of the resources of a computer and provides programmers with aninterface used to access those resources. An operating system processessystem data and user input, and responds by allocating and managingtasks and internal system resources as a service to users and programsof the system.

The computer system may for instance include at least one processingunit, associated memory and a number of input/output (I/O) devices. Whenexecuting the computer program, the computer system processesinformation according to the computer program and produces resultantoutput information via I/O devices.

In the foregoing specification, the invention has been described withreference to specific examples of embodiments of the invention. It will,however, be evident that various modifications and changes may be madetherein without departing from the broader spirit and scope of theinvention as set forth in the appended claims.

Moreover, the terms “front,” “back,” “top,” “bottom,” “over,” “under”and the like in the description and in the claims, if any, are used fordescriptive purposes and not necessarily for describing permanentrelative positions. It is understood that the terms so used areinterchangeable under appropriate circumstances such that theembodiments of the invention described herein are, for example, capableof operation in other orientations than those illustrated or otherwisedescribed herein.

The connections as discussed herein may be any type of connectionsuitable to transfer signals from or to the respective nodes, units ordevices, for example via intermediate devices. Accordingly, unlessimplied or stated otherwise, the connections may for example be directconnections or indirect connections. The connections may be illustratedor described in reference to being a single connection, a plurality ofconnections, unidirectional connections, or bidirectional connections.However, different embodiments may vary the implementation of theconnections. For example, separate unidirectional connections may beused rather than bidirectional connections and vice versa. Also,plurality of connections may be replaced with a single connection thattransfers multiple signals serially or in a time multiplexed manner.Likewise, single connections carrying multiple signals may be separatedout into various different connections carrying subsets of thesesignals. Therefore, many options exist for transferring signals.

Although specific conductivity types or polarity of potentials have been described in the examples, it will be appreciated that conductivity types and polarities of potentials may be reversed.

Each signal described herein may be designed as positive or negative logic. In the case of a negative logic signal, the signal is active low where the logically true state corresponds to a logic level zero. In the case of a positive logic signal, the signal is active high where the logically true state corresponds to a logic level one. Note that any of the signals described herein may be designed as either negative or positive logic signals. Therefore, in alternate embodiments, those signals described as positive logic signals may be implemented as negative logic signals, and those signals described as negative logic signals may be implemented as positive logic signals.

Furthermore, the terms “assert” or “set” and “negate” (or “deassert” or “clear”) are used herein when referring to the rendering of a signal, status bit, or similar apparatus into its logically true or logically false state, respectively. If the logically true state is a logic level one, the logically false state is a logic level zero. And if the logically true state is a logic level zero, the logically false state is a logic level one.

Those skilled in the art will recognize that the boundaries between logic blocks are merely illustrative and that alternative embodiments may merge logic blocks or circuit elements or impose an alternate decomposition of functionality upon various logic blocks or circuit elements. Thus, it is to be understood that the architectures depicted herein are merely exemplary, and that in fact many other architectures may be implemented which achieve the same functionality.

Any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality may be seen as “associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermedial components. Likewise, any two components so associated can also be viewed as being “operably connected,” or “operably coupled,” to each other to achieve the desired functionality.

Furthermore, those skilled in the art will recognize that boundaries between the above described operations are merely illustrative. The multiple operations may be combined into a single operation, a single operation may be distributed in additional operations and operations may be executed at least partially overlapping in time. Moreover, alternative embodiments may include multiple instances of a particular operation, and the order of operations may be altered in various other embodiments.

Also for example, in one embodiment, the illustrated examples may be implemented as circuitry located on a single integrated circuit or within a same device. Alternatively, the examples may be implemented as any number of separate integrated circuits or separate devices interconnected with each other in a suitable manner.

Also, the examples, or portions thereof, may be implemented as soft or code representations of physical circuitry or of logical representations convertible into physical circuitry, such as in a hardware description language of any appropriate type.

Also, the invention is not limited to physical devices or units implemented in non-programmable hardware but can also be applied in programmable devices or units able to perform the desired device functions by operating in accordance with suitable program code, such as mainframes, minicomputers, servers, workstations, personal computers, notepads, personal digital assistants, electronic games, automotive and other embedded systems, cell phones and various other wireless devices, commonly denoted in this application as ‘computer systems’.

However, other modifications, variations and alternatives are also possible. The specifications and drawings are, accordingly, to be regarded in an illustrative rather than in a restrictive sense.

In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word ‘comprising’ does not exclude the presence of other elements or steps than those listed in a claim. Furthermore, the terms “a” or “an,” as used herein, are defined as one or more than one. Also, the use of introductory phrases such as “at least one” and “one or more” in the claims should not be construed to imply that the introduction of another claim element by the indefinite articles “a” or “an” limits any particular claim containing such introduced claim element to inventions containing only one such element, even when the same claim includes the introductory phrases “one or more” or “at least one” and indefinite articles such as “a” or “an.” The same holds true for the use of definite articles. Unless stated otherwise, terms such as “first” and “second” are used to arbitrarily distinguish between the elements such terms describe. Thus, these terms are not necessarily intended to indicate temporal or other prioritization of such elements. The mere fact that certain measures are recited in mutually different claims does not indicate that a combination of these measures cannot be used to advantage.

While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents will now occur to those of ordinary skill in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

EXAMPLE EMBODIMENTS

Example 1 is a method for job execution, the method comprising: performing by a processing unit of a group of processing units of a system, while avoiding interrupting a controller that does not belong to the group, at least one iteration of the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit.

In Example 2, the subject matter of Example 1 includes, performing multiple iterations of steps (a)-(f), wherein at least a majority of the iterations are executed without interrupting the controller.

In Example 3, the subject matter of Examples 1-2 includes, wherein entering the trusted mode is executed during a boot process following the resetting of the processing unit.

In Example 4, the subject matter of Examples 1-3 includes, executing, by the processing unit, the multiple iterations without intervention of the controller.

In Example 5, the subject matter of Examples 1-4 includes, reporting a completion of the selected job.

In Example 6, the subject matter of Examples 1-5 includes, allocating, by the processing unit, an allocated job to another processing unit of the group; wherein the allocating comprises updating, by the processing unit and while in the trusted mode, metadata related to an execution of the allocated job.

In Example 7, the subject matter of Example 6 includes, wherein updating the metadata comprises updating a queue pointer, using an atomic command execution unit.

In Example 8, the subject matter of Examples 6-7 includes, wherein updating the metadata precedes resetting the processing unit.

In Example 9, the subject matter of Examples 6-8 includes, wherein updating the metadata follows resetting the processing unit.

In Example 10, the subject matter of Examples 1-9 includes, wherein selecting the selected job comprises selecting the selected job from one of multiple job queues.

In Example 11, the subject matter of Example 10 includes, wherein the group of processing units comprise different types of processing unit and are arranged in clusters; and wherein the multiple job queues comprise queues allocated per processing unit, queues allocated per type of the processing units, and queues allocated per cluster.

In Example 12, the subject matter of Example 11 includes, wherein processing units of a cluster of the clusters comprise general purpose processing units.

In Example 13, the subject matter of Examples 11-12 includes, wherein processing units of a cluster of the clusters comprise hardware accelerators.

In Example 14, the subject matter of Examples 1-13 includes, determining, by the processing unit, whether to retrieve the access control metadata related to the selected job, and retrieving access control metadata related to the selected job only when determining to retrieve the access control metadata related to the selected job.

In Example 15, the subject matter of Examples 1-14 includes, storing state metadata indicative of a process that comprises a last job previously executed by the processing unit; and wherein the selecting of the selected job is followed by determining whether the selected job belongs to the process; wherein when the selected job belongs to the process then avoiding the retrieval of the access control metadata related to the selected job.

In Example 16, the subject matter of Examples 1-15 includes, retrieving, by the processing unit and while in the trusted mode, a command originated from the controller; and executing the commands by the processing unit.
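The loop of Examples 1-16 can be followed in a small host-side C model, added here as an illustration and not taken from the patent or any implementation of it. All names are hypothetical. It assumes that access control metadata is a writable address window per process, that the latched window and the last-process record of Example 15 survive the reset, and that C11 atomics stand in for the atomic command execution unit of Example 7.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Host-side model; every name here is hypothetical, not from the patent. */
#define QCAP 8
#define NPROC 2
#define MEM_WORDS 32

enum pu_mode { MODE_TRUSTED, MODE_UNTRUSTED };
struct acl { uint32_t base, limit; };             /* writable window [base, limit) */
struct job { uint32_t process_id, addr, value; }; /* a job is one guarded store */
struct job_queue { struct job slots[QCAP]; atomic_uint head, tail; };

struct pu {
    enum pu_mode mode;
    struct acl active;      /* latched in trusted mode; assumed to survive reset */
    uint32_t last_process;  /* state metadata of Example 15 */
    bool have_last;
    uint32_t scratch;       /* job-visible state, wiped by reset */
    unsigned acl_fetches, resets, completed, denied;
};

static uint32_t mem[MEM_WORDS];   /* shared memory the jobs write to */
static const struct acl acl_table[NPROC] = { {0, 16}, {16, 32} };  /* constructed */

/* Trusted-mode enqueue, single producer assumed: fill slot, then publish tail. */
static bool queue_push(struct job_queue *q, struct job j) {
    unsigned t = atomic_load(&q->tail);
    if (t - atomic_load(&q->head) >= QCAP) return false;
    q->slots[t % QCAP] = j;
    atomic_store(&q->tail, t + 1);
    return true;
}

/* Units race on head; compare-exchange hands each job to exactly one of them. */
static bool queue_pop(struct job_queue *q, struct job *out) {
    unsigned h = atomic_load(&q->head);
    for (;;) {
        if (h == atomic_load(&q->tail)) return false;
        struct job j = q->slots[h % QCAP];
        if (atomic_compare_exchange_weak(&q->head, &h, h + 1)) { *out = j; return true; }
    }
}

/* Step (e): every store is checked against the latched window. */
static bool checked_store(struct pu *pu, uint32_t addr, uint32_t value) {
    bool ok = pu->mode == MODE_UNTRUSTED && addr < MEM_WORDS &&
              addr >= pu->active.base && addr < pu->active.limit;
    if (ok) mem[addr] = value; else pu->denied++;
    return ok;
}

/* Step (f): wipe job-visible state; boot re-enters trusted mode (Example 3). */
static void pu_reset(struct pu *pu) {
    pu->scratch = 0;
    pu->mode = MODE_TRUSTED;
    pu->resets++;
}

/* One iteration of (a)-(f); returns false once every queue is empty. */
static bool pu_iterate(struct pu *pu, struct job_queue *queues[], size_t nq) {
    struct job j = {0, 0, 0};
    bool got = false;
    pu->mode = MODE_TRUSTED;                                   /* (a) */
    for (size_t i = 0; i < nq && !got; i++)                    /* (b) */
        got = queue_pop(queues[i], &j);
    if (!got) return false;
    if (j.process_id >= NPROC) { pu->denied++; pu_reset(pu); return true; }
    if (!pu->have_last || pu->last_process != j.process_id) {  /* Examples 14-15 */
        pu->active = acl_table[j.process_id];                  /* (c) */
        pu->last_process = j.process_id; pu->have_last = true;
        pu->acl_fetches++;
    }
    pu->mode = MODE_UNTRUSTED;                                 /* (d) */
    pu->scratch = j.value;
    if (checked_store(pu, j.addr, j.value)) pu->completed++;   /* (e) */
    pu_reset(pu);                                              /* (f) */
    return true;
}

/* Constructed workload: the per-unit queue is drained before the per-cluster one. */
static struct pu run_demo(void) {
    struct job_queue per_unit, per_cluster;
    struct job_queue *queues[] = { &per_unit, &per_cluster };
    struct pu pu;
    memset(&pu, 0, sizeof pu);                 /* boots in MODE_TRUSTED */
    memset(mem, 0, sizeof mem);
    atomic_init(&per_unit.head, 0);    atomic_init(&per_unit.tail, 0);
    atomic_init(&per_cluster.head, 0); atomic_init(&per_cluster.tail, 0);
    queue_push(&per_unit,    (struct job){0, 3, 0xA});
    queue_push(&per_unit,    (struct job){0, 5, 0xB});
    queue_push(&per_cluster, (struct job){1, 20, 0xC});
    queue_push(&per_cluster, (struct job){1, 4, 0xD});  /* outside process 1's window */
    while (pu_iterate(&pu, queues, 2)) { }
    return pu;
}
```

Four jobs from two processes cause only two access control fetches, because consecutive jobs of the same process reuse the latched window, while the fourth job's store outside its process's window is refused and the unit is still reset afterwards.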

Example 17 is a processing unit, the processing unit one of a group of processing units of a system, the processing unit comprising: a processor; and memory including instructions, which when executed by the processor while avoiding interrupting a controller that does not belong to the group of processing units, cause the processor to: perform at least one iteration of the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit.

In Example 18, the subject matter of Example 17 includes, wherein the instructions cause the processor to perform multiple iterations of steps (a)-(f), wherein at least a majority of the iterations are executed without interrupting the controller.

In Example 19, the subject matter of Examples 17-18 includes, wherein entering the trusted mode is executed during a boot process following the resetting of the processing unit.

In Example 20, the subject matter of Examples 17-19 includes, wherein the instructions cause the processor to execute, by the processing unit, the multiple iterations without intervention of the controller.

In Example 21, the subject matter of Examples 17-20 includes, wherein the instructions cause the processor to report a completion of the selected job.

In Example 22, the subject matter of Examples 17-21 includes, wherein the instructions cause the processor to allocate, by the processing unit, an allocated job to another processing unit of the group; wherein the allocating comprises updating, by the processing unit and while in the trusted mode, metadata related to an execution of the allocated job.

In Example 23, the subject matter of Example 22 includes, wherein updating the metadata comprises updating a queue pointer, using an atomic command execution unit.

In Example 24, the subject matter of Examples 22-23 includes, wherein updating the metadata precedes resetting the processing unit.

In Example 25, the subject matter of Examples 22-24 includes, wherein updating the metadata follows resetting the processing unit.

In Example 26, the subject matter of Examples 17-25 includes, wherein selecting the selected job comprises selecting the selected job from one of multiple job queues.

In Example 27, the subject matter of Example 26 includes, wherein the group of processing units comprise different types of processing unit and are arranged in clusters; and wherein the multiple job queues comprise queues allocated per processing unit, queues allocated per type of the processing units, and queues allocated per cluster.

In Example 28, the subject matter of Example 27 includes, wherein processing units of a cluster of the clusters comprise general purpose processing units.

In Example 29, the subject matter of Examples 27-28 includes, wherein processing units of a cluster of the clusters comprise hardware accelerators.

In Example 30, the subject matter of Examples 17-29 includes, wherein the instructions cause the processor to determine, by the processing unit, whether to retrieve the access control metadata related to the selected job, and retrieving access control metadata related to the selected job only when determining to retrieve the access control metadata related to the selected job.

In Example 31, the subject matter of Examples 17-30 includes, wherein the instructions cause the processor to store state metadata indicative of a process that comprises a last job previously executed by the processing unit; and wherein the selecting of the selected job is followed by determining whether the selected job belongs to the process; wherein when the selected job belongs to the process then avoiding the retrieval of the access control metadata related to the selected job.

In Example 32, the subject matter of Examples 17-31 includes, wherein the instructions cause the processor to: retrieve, by the processing unit and while in the trusted mode, a command originated from the controller; and execute the commands by the processing unit.

Example 33 is a machine-readable medium including instructions, which when executed by a processing unit of a group of processing units, cause the processing unit to perform operations while avoiding interrupting a controller that does not belong to the group of processing units, cause the processor to: perform at least one iteration of the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit.

In Example 34, the subject matter of Example 33 includes, performing multiple iterations of steps (a)-(f), wherein at least a majority of the iterations are executed without interrupting the controller.

In Example 35, the subject matter of Examples 33-34 includes, wherein entering the trusted mode is executed during a boot process following the resetting of the processing unit.

In Example 36, the subject matter of Examples 33-35 includes, executing, by the processing unit, the multiple iterations without intervention of the controller.

In Example 37, the subject matter of Examples 33-36 includes, reporting a completion of the selected job.

In Example 38, the subject matter of Examples 33-37 includes, allocating, by the processing unit, an allocated job to another processing unit of the group; wherein the allocating comprises updating, by the processing unit and while in the trusted mode, metadata related to an execution of the allocated job.

In Example 39, the subject matter of Example 38 includes, wherein updating the metadata comprises updating a queue pointer, using an atomic command execution unit.

In Example 40, the subject matter of Examples 38-39 includes, wherein updating the metadata precedes resetting the processing unit.

In Example 41, the subject matter of Examples 38-40 includes, wherein updating the metadata follows resetting the processing unit.

In Example 42, the subject matter of Examples 33-41 includes, wherein selecting the selected job comprises selecting the selected job from one of multiple job queues.

In Example 43, the subject matter of Example 42 includes, wherein the group of processing units comprise different types of processing unit and are arranged in clusters; and wherein the multiple job queues comprise queues allocated per processing unit, queues allocated per type of the processing units, and queues allocated per cluster.

In Example 44, the subject matter of Example 43 includes, wherein processing units of a cluster of the clusters comprise general purpose processing units.

In Example 45, the subject matter of Examples 43-44 includes, wherein processing units of a cluster of the clusters comprise hardware accelerators.

In Example 46, the subject matter of Examples 33-45 includes, determining, by the processing unit, whether to retrieve the access control metadata related to the selected job, and retrieving access control metadata related to the selected job only when determining to retrieve the access control metadata related to the selected job.

In Example 47, the subject matter of Examples 33-46 includes, storing state metadata indicative of a process that comprises a last job previously executed by the processing unit; and wherein the selecting of the selected job is followed by determining whether the selected job belongs to the process; wherein when the selected job belongs to the process then avoiding the retrieval of the access control metadata related to the selected job.

In Example 48, the subject matter of Examples 33-47 includes, retrieving, by the processing unit and while in the trusted mode, a command originated from the controller; and executing the commands by the processing unit.

Example 49 is an apparatus for job execution, the apparatus comprising: means for performing by a processing unit of a group of processing units of a system, while avoiding interrupting a controller that does not belong to the group, at least one iteration of the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit.

In Example 50, the subject matter of Example 49 includes, means for performing multiple iterations of steps (a)-(f), wherein at least a majority of the iterations are executed without interrupting the controller.

In Example 51, the subject matter of Examples 49-50 includes, wherein the means for entering the trusted mode is executed during a boot process following the resetting of the processing unit.

In Example 52, the subject matter of Examples 49-51 includes, means for executing, by the processing unit, the multiple iterations without intervention of the controller.

In Example 53, the subject matter of Examples 49-52 includes, means for reporting a completion of the selected job.

In Example 54, the subject matter of Examples 49-53 includes, means for allocating, by the processing unit, an allocated job to another processing unit of the group; wherein the allocating comprises updating, by the processing unit and while in the trusted mode, metadata related to an execution of the allocated job.

In Example 55, the subject matter of Example 54 includes, wherein means for updating the metadata comprises updating a queue pointer, using an atomic command execution unit.

In Example 56, the subject matter of Examples 54-55 includes, wherein means for updating the metadata precedes resetting the processing unit.

In Example 57, the subject matter of Examples 54-56 includes, wherein means for updating the metadata follows resetting the processing unit.

In Example 58, the subject matter of Examples 49-57 includes, wherein means for selecting the selected job comprises selecting the selected job from one of multiple job queues.

In Example 59, the subject matter of Example 58 includes, wherein the group of processing units comprise different types of processing unit and are arranged in clusters; and wherein the multiple job queues comprise queues allocated per processing unit, queues allocated per type of the processing units, and queues allocated per cluster.

In Example 60, the subject matter of Example 59 includes, wherein processing units of a cluster of the clusters comprise general purpose processing units.

In Example 61, the subject matter of Examples 59-60 includes, wherein processing units of a cluster of the clusters comprise hardware accelerators.

In Example 62, the subject matter of Examples 49-61 includes, determining, by the processing unit, whether to retrieve the access control metadata related to the selected job, and retrieving access control metadata related to the selected job only when determining to retrieve the access control metadata related to the selected job.

In Example 63, the subject matter of Examples 49-62 includes, means for storing state metadata indicative of a process that comprises a last job previously executed by the processing unit; and wherein the selecting of the selected job is followed by determining whether the selected job belongs to the process; wherein when the selected job belongs to the process then avoiding the retrieval of the access control metadata related to the selected job.

In Example 64, the subject matter of Examples 49-63 includes, means for retrieving, by the processing unit and while in the trusted mode, a command originated from the controller; and means for executing the commands by the processing unit.

Example 65 is at least one machine-readable medium including instructions that, when executed by processing circuitry, cause the processing circuitry to perform operations to implement any of Examples 1-64.

Example 66 is an apparatus comprising means to implement any of Examples 1-64.

Example 67 is a system to implement any of Examples 1-64.

Example 68 is a method to implement any of Examples 1-64.

We claim:
1. A method for job execution, comprising: performing by a processing unit of a group of processing units of a system, while avoiding interrupting a controller that does not belong to the group, at least one iteration of the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit.
2. The method according to claim 1, comprising performing multiple iterations of steps (a)-(f), wherein at least a majority of the iterations are executed without interrupting the controller.
3. The method according to claim 1, wherein entering the trusted mode is executed during a boot process following the resetting of the processing unit.
4. The method according to claim 1, comprising executing, by the processing unit, the multiple iterations without intervention of the controller.
5. The method according to claim 1, comprising reporting a completion of the selected job.
6. The method according to claim 1, comprising allocating, by the processing unit, an allocated job to another processing unit of the group; wherein the allocating comprises updating, by the processing unit and while in the trusted mode, metadata related to an execution of the allocated job.
7. The method according to claim 6, wherein updating the metadata comprises updating a queue pointer, using an atomic command execution unit.
8. The method according to claim 6, wherein updating the metadata precedes resetting the processing unit.
9. The method according to claim 6, wherein updating the metadata follows resetting the processing unit.
10. The method according to claim 1, wherein selecting the selected job comprises selecting the selected job from one of multiple job queues.
11. The method according to claim 10, wherein the group of processing units comprise different types of processing unit and are arranged in clusters; and wherein the multiple job queues comprise queues allocated per processing unit, queues allocated per type of the processing units, and queues allocated per cluster.
12. The method according to claim 11, wherein processing units of a cluster of the clusters comprise general purpose processing units.
13. The method according to claim 11, wherein processing units of a cluster of the clusters comprise hardware accelerators.
14. The method according to claim 1 comprising determining, by the processing unit, whether to retrieve the access control metadata related to the selected job, and retrieving access control metadata related to the selected job only when determining to retrieve the access control metadata related to the selected job.
15. The method according to claim 1, comprising storing state metadata indicative of a process that comprises a last job previously executed by the processing unit; and wherein the selecting of the selected job is followed by determining whether the selected job belongs to the process; wherein when the selected job belongs to the process then avoiding the retrieval of the access control metadata related to the selected job.
16. The method according to claim 1, comprising: retrieving, by the processing unit and while in the trusted mode, a command originated from the controller; and executing the commands by the processing unit.
17. A processing unit, the processing unit one of a group of processing units of a system, the processing unit comprising: a processor; and memory including instructions, which when executed by the processor while avoiding interrupting a controller that does not belong to the group of processing units, cause the processor to: perform at least one iteration of the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit.
18. The processing unit according to claim 17, wherein the instructions cause the processor to perform multiple iterations of steps (a)-(f), wherein at least a majority of the iterations are executed without interrupting the controller.
19. The processing unit according to claim 17, wherein entering the trusted mode is executed during a boot process following the resetting of the processing unit.
20. The processing unit according to claim 17, wherein the instructions cause the processor to execute, by the processing unit, the multiple iterations without intervention of the controller.
21. The processing unit according to claim 17, wherein the instructions cause the processor to report a completion of the selected job.
22. The processing unit according to claim 17, wherein the instructions cause the processor to allocate, by the processing unit, an allocated job to another processing unit of the group; wherein the allocating comprises updating, by the processing unit and while in the trusted mode, metadata related to an execution of the allocated job.
23. The processing unit according to claim 22, wherein updating the metadata comprises updating a queue pointer, using an atomic command execution unit.
24. The processing unit according to claim 22, wherein updating the metadata precedes resetting the processing unit.
25. The processing unit according to claim 22, wherein updating the metadata follows resetting the processing unit.
26. The processing unit according to claim 17, wherein selecting the selected job comprises selecting the selected job from one of multiple job queues.
27. The processing unit according to claim 26, wherein the group of processing units comprise different types of processing unit and are arranged in clusters; and wherein the multiple job queues comprise queues allocated per processing unit, queues allocated per type of the processing units, and queues allocated per cluster.
28. The processing unit according to claim 27, wherein processing units of a cluster of the clusters comprise general purpose processing units.
29. The processing unit according to claim 27, wherein processing units of a cluster of the clusters comprise hardware accelerators.
30. The processing unit according to claim 17, wherein the instructions cause the processor to determine, by the processing unit, whether to retrieve the access control metadata related to the selected job, and retrieving access control metadata related to the selected job only when determining to retrieve the access control metadata related to the selected job.
31. The processing unit according to claim 17, wherein the instructions cause the processor to store state metadata indicative of a process that comprises a last job previously executed by the processing unit; and wherein the selecting of the selected job is followed by determining whether the selected job belongs to the process; wherein when the selected job belongs to the process then avoiding the retrieval of the access control metadata related to the selected job.
32. The processing unit according to claim 17, wherein the instructions cause the processor to: retrieve, by the processing unit and while in the trusted mode, a command originated from the controller; and execute the commands by the processing unit.
33. A machine-readable medium including instructions, which when executed by a processing unit of a group of processing units, cause the processing unit to perform operations while avoiding interrupting a controller that does not belong to the group of processing units, cause the processor to: perform at least one iteration of the steps of: (a) entering a trusted mode, (b) selecting a selected job to be executed by the processing unit, (c) retrieving access control metadata related to the selected job, (d) entering, by the processing unit, an untrusted mode, (e) executing the selected job by the processing unit while adhering to the access control metadata related to the job, and (f) resetting the processing unit.